How to find origin of spam mails in cpanel exim?

How to find origin of spam mails in cpanel exim?

Spamming – You might have the experience or not! It is said to be a message found unsolicited sent from a messaging system to hack our information. It will reflect on your social media too! Let us give you some examples to predict spamming activities in social media, internet forum, Wikipedia, search engine, and messages. Spam types are varied with technology bases such as a foreign bank, phishing, trackback, comment and email spam.

The server uses the MTA to manage the delivery of the email. Exim is the major service in email activity because it deliberately manages the email delivery even it is scripted based program. In future, you may have a situation to cross-check email logs. Here, Exim acts as the main interface to save all the email logs from starting to end.

How to find the IP address of spammers?

Just run the below-mentioned IP address to find the spammers:

# grep “massmailer.php” /home/<username>/access-logs/<domainname> | awk ‘{print $1}’ | sort -n | uniq -c | sort –n
How to make a list of email senders?

For instance, if you want to make a list of email senders go to Exim mail queue which stores the email list. Run the below script to get email sender list:

# Exim -bpr | grep “<” | awk {‘print$4’} | cut -d “<” -f 2 | cut -d “>” -f 1 | sort -n | uniq -c | sort –n
The output will be displayed as:



The numbers displayed at the left is the count of the email sent by senders. For example, has sent 200 emails.

How the spam gets originated?

Usually, the script plays the main role for creating spam mails. In that case, you need to find out which script is actually sending spam mails.

# grep “cwd=/home” /var/log/exim_mainlog | awk ‘{for(i=1;i<=10;i++){print $i}}’ | sort | uniq -c | grep cwd | sort -n

# awk ‘{ if ($0 ~ “cwd” && $0 ~ “home”) {print $3} }’ /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep ‘cwd=/home’ /var/log/exim_mainlog | awk ‘{print $3}’ | cut -d / -f 3 | sort -bg | uniq -c | sort -bg
Compare the first, second and third script together. You can find the similarities of first and second in third scripts.

Predicting out the result of first and second is mentioned below:

9 cwd=/home/domain1/public_html

10 cwd=/home/domain2/public_html/a1/www

12 cwd=/home/domain3/public_html

71 cwd=/home/domain4/public_html

190 cwd=/home/domain5/public_html/web
How to find the actual script for spamming from the mail server?

We have shown one script of spamming in second part. If at all, you will be known that finding current spamming script is difficult but it’s easy by running below script:

# ps auxwwwe | grep <user> | grep –color=always “<location of script>” | head
Place the script location in <location of script>. It shows the actual sending spamming script along with the IP address of the sender. Now, it is possible to block the IP address of the spammer right? Sort out which IP address has more number of access block that immediately by using APF or CSF firewall.

# grep “<script_name>” /home/user/access-logs/<domainname> | awk ‘{print $1}’ | sort -n | uniq -c | sort –n
Which PHP script sends the email?

Every PHP developer knows the script for sending emails. But it is not possible to get help from them at all time. So, we must know the script to make an immediate solution:

# egrep -R “X-PHP-Script” /var/spool/exim/input/*
Get the domain list by choosing the top 50 then execute the below script:

# eximstats -ne -nr /var/log/exim_mainlogv
Check the home user email sender by running the script mentioned below:

# ps -C exim -fH ewww | grep home
Port 25 – You must know how many IP address is get connected with Port 25 server.

If any of the IP address goes more than 10 limitations of connection then don’t hesitate to block the IP address. It’s the spam content:

# netstat -plan | grep :25 | awk {‘print $5’} | cut -d: -f 1 | sort | uniq -c | sort -nk 1
Have you heard about the issue of spamming called nobody?

To find the currently running spamming script also to freeze nobody spamming sender just execute the script:

# ps -C exim -fH ewww | awk ‘{for(i=1;i<40;i++){print $i}}’ | sort | uniq -c | grep PWD | sort –n
The output will be:

9 PWD=/

238 PWD=/home/sample/public_html/abc
Check the PWD value to know more number of counts. So, open the file to check the inside value such as “/var/spool/mail/var/spool/exim” or /. This is very common so you don’t need to worry about the output.

If you find any spamming activity no more seconds just run the script:

# grep “cwd=” /var/log/exim_mainlog | awk ‘{for(i=1;i<=10;i++){print $i}}’ | sort | uniq -c | grep cwd | sort –n
How to get the summary of spam mails?

# exim -bpr | exiqsumm -c | head
The above script will show the summary of spam mails.

Count Volume Oldest Newest Domain

23 211KB 48h 56m

7 24KB 30h 9m
Hope, the information given above will be very useful to you! Predicting the spammers is the most challenging work. You will be occupied by the spammer if you allow them even unconsciously. Situations may vary but precaution is ours!
First release
Last update
0.00 star(s) 0 ratings